Mitnick In The News

From Reporter to Private Investigator to Security Engineer

How I fell in love with coding and traded in a camera-rigged Prius for a MacBook and a GitHub account.

"You’ll receive an email with a first name, last name and a ticker symbol,” the hedge fund manager told me. "I don’t care how many hours you bill. Just understand that I will trade money on whatever you turn up."

Never in a million years did I think I’d be a private investigator. Or a security engineer in Silicon Valley. I studied journalism in college with the goal of working on the investigative team at one of the major dailies: New York Times, Washington Post or the Wall Street Journal.

I started at the main daily paper in Marin where I developed a reputation for writing the long, drawn-out, data-driven pieces published above-the-fold on the front page of Sunday papers.

That’s how the hedge fund manager got to know me.

After doing a couple projects for him, he invited me to an intimate batting practice party. He rented out AT&T Park in its entirety. It was the same extravagant party that opened Season 2 of Silicon Valley: A dugout full of catered food, an open bar, and networking. One attendee told me he was a private investigator. A few weeks later, after some finessing, the state designated me PI #26458.

For the next eight years I conducted surveillances, worked undercover on a corporate jury-tampering trial, hired people in South America to take photographs of American products being sold inside a mall reportedly owned by Hezbollah, hunted car thieves for Enterprise Rent-A-Car, set up a team of former newspaper reporters to search for assets owned by every single person who was a net winner in the Bernie Madoff Ponzi scheme, and conducted background checks for the NBA. I bought the plainest car possible — blue, base model Toyota Prius — and rigged up a stop-motion HD video camera in the roof rack so I could park and leave it in front of places where a person sitting in a car for an entire day wouldn’t draw suspicion.

Lawyers, hedge fund managers, politicians, businesses, venture capitalists, and even big international detective agencies turned to me when they hit the end of the line of their own abilities. More often than not, I had never done exactly what I was proposing and everyone knew I’d have to figure it out as I went along. That turned out to be a great skill later on.

Three key things happened within a short span of time around 2014:

I read Ghost In The Wires, an autobiography by notorious hacker Kevin Mitnick

The ocean of data available via public APIs landed on my radar

Software bootcamps became a thing\

As a P.I., I had always spent money liberally to learn any new skill that would help me become a better, more creative problem solver. Reading Mitnick’s book opened my eyes to how much soft skills and raw persistence drove technical hacking. The same week a software developer quoted me $20,000 to build a custom business development tool, I saw an ad for one of the first bootcamps and it was half the cost of the bid. On a whim, I enrolled and started a week later with the assumption that I could learn enough to build my tool and return to my practice.

A funny thing happened though: I fell in love with software.

The Python-focused curriculum was a mess and only two of the 20 or so students landed full-time gigs. That was okay, though. Everyone was incredibly supportive and I was hooked on something new. After returning to client work, I found myself spending most of my day tinkering with code tutorials and pushing the paid investigative work late in the afternoon. When a colleague initiated merger talks shortly thereafter, closing up shop was an easy decision. My brain had moved on.

It felt strange considering another bootcamp, but I wanted to get proficient as fast as possible and earn a living working on software. Hack Reactor looked like the fastest way there.

Once I got accepted, it really was as brutal as everything I’d heard. They took for granted that I could code and drilled us on things like algorithm design, time complexity of different search methods, and test coverage. And even though the program focuses exclusively on Javascript, the goal is to produce engineers who can learn any language quickly and solve problems with it.

While searching for an engineering job, I attended security meetups, took a class about using the Burp Suite exploitation tool, wrote blog posts for the Wall of Sheep group from the Defcon security conference and, with a friend, set up a Chromebook with the Kali Linux penetration testing tools. I also spent two months teaching front-end web development to a dozen low-income girls of color through an amazing program called Mission Bit. Once again, I found myself in a profession that wasn’t part of the plan. Me, teaching coding.

When a friend of mine heard about my volunteer work, he encouraged me to apply for a job at his company: CircleCI. I solved their timed code challenge, passed the interviews and got hired. Just like Hack Reactor predicted, I landed a gig where no native Javascript is written. And not only that, we use Clojure, which is a Lisp dialect and not even an object-oriented language. I started as a support engineer helping customers learn to use our platform. During slow periods and holidays, I holed up in the office and taught myself Clojure.

While the company began recruiting a security engineer, I picked up the slack out of raw curiosity about how our system worked through the lens of security. It started with answering security questionnaires from customers and quickly morphed into using my journalism skills to document the security processes already in place. When I volunteered at the BsidesSF security conference this winter, everyone told me the company should promote within and hire me. Which is exactly what happened. These days, I’m doing a lot of what I did with my P.I. agency: hiring vendors, managing subcontractors’ projects, creating budgets, and figuring out creative ideas to solve problems. But I also jump into the code to solve problems when needed and that’s my favorite part.

One of the most exciting things I’m looking forward to this year will be hosting security workshops for engineers. The goal is to not just explain things like SQL injection to our engineers, but to turn them loose on a deliberately vulnerable application and give them time to break it. I want them to think like hackers so they can design better systems.

My newfound security engineering focus is a stakeout of a different kind. I’ve traded my Prius for a MacBook and a GitHub account. But I’m still looking in the shadows, searching for flaws and vulnerabilities.